Closing the Digital Competency Gap in the Boardroom

This article is based on a thesis I have written for the Supervisory Board program (NCC 73) at Nyenrode University, which I will complete this month. I set out to answer a practical question: how can supervisory boards close the digital competency gap so their oversight of digitalization and AI is effective and value-creating?

The research combined literature, practitioner insights, and my own experience leading large-scale digital transformations. The signal is clear: technology, data, and AI are no longer specialist topics—they shape strategy, execution, and resilience. Boards that upgrade their competence change the quality of oversight, the shape of investment, and ultimately the future of the company.


1) Business model transformation

Digital doesn’t just add channels; it rewrites how value is created and captured. The board’s role is to probe how data, platforms, and AI may alter customer problem–solution fit, value generation logic, and ecosystem position over the next 3–5–10 years. Ask management to make the trade-offs explicit: which parts of the current model should we defend, which should we cannibalize, and which new options (platform plays, data partnerships, embedded services) warrant small “option bets” now?

What to look out for: strategies that talk about “going digital” without quantifying how revenue mix, margins, or cash generation will change. Beware dependency risks (platforms, app stores, hyperscalers) that shift bargaining power over time. Leverage scenario planning and clear leading indicators—so the board can see whether the plan is working early enough to pivot or double down.

2) Operational digital transformation

The strongest programs are anchored in outcomes, not output. Boards should ask to see business results expressed in P&L and balance-sheet terms (growth, cost, capital turns), not just “go-live” milestones. Require a credible pathway from pilot to scale: gated tranches that release funding when adoption, value, and risk thresholds are met; and clear “stop/reshape” criteria to avoid sunk costs.

What to look out for: “watermelon” reporting that stays green while progress/adoption is behind; vendor-led roadmaps that don’t fit the architecture; and under-resourced change management. As a rule of thumb, ensure 10–15% of major transformation budgets are reserved for change, communications, and training. Ask who owns adoption metrics and how you’ll know—early—that teams are using what’s been built.

3) Organization & culture

Technology succeeds at the speed of behaviour change. The board should examine whether leadership is telling a coherent story (why/what/how/who) and whether middle management has the capacity to translate it into local action. Probe how AI will reshape roles and capabilities, and whether the company has a reskilling plan that is targeted, measurable, and linked to workforce planning.

What to look out for: assuming tools will “sell themselves,” starving change budgets, and running transformations in a shadow lane disconnected from the real business. Look for feedback loops—engagement diagnostics, learning dashboards, peer-to-peer communities—that surface resistance early and help leadership course-correct before adoption stalls.

4) Technology investments

Oversight improves dramatically when the board insists on a North Star architecture that makes trade-offs visible: which data foundations come first, how integration will work, and how security/privacy are designed in. Investments should be staged, with each tranche linked to outcome evidence and risk mitigation, and with conscious decisions about vendor lock-in and exit options.

What to look out for: shiny-tool syndrome, financial engineering that ignores lifetime Total Cost of Ownership (TCO), and weak vendor due diligence. Ask for risk analysis (e.g., cloud and vendor exposure) and continuity plans that are actually tested. Expect architecture reviews by independent experts on mission-critical choices, so the board gets a clear view beyond vendor narratives.

5) Security & compliance

Cyber, privacy, and emerging AI regulation must be treated as enterprise-level risks with clear ownership, KPIs, and tested recovery playbooks. Boards should expect regular exercises and evidence that GDPR, NIS2, and AI governance are embedded in product and process design—not bolted on at the end.

What to look out for: “tick-the-box” compliance that produces documents rather than resilience, infrequent or purely theoretical drills, and untested backups. Probe third-party and supply-chain exposure as seriously as internal controls. The standard is not perfection; it’s informed preparedness, repeated practice, and learning from near-misses.


Seven structural moves that work

  1. Make digital explicit in board profiles. Use a competency matrix that distinguishes business-model, data/AI, technology, and cyber/compliance fluency. Recruit to close gaps or appoint external advisors—don’t hide digital under a generic “technology” label.
  2. Run periodic board maturity assessments. Combine self-assessment with executive feedback to identify capability gaps. Tie development plans to the board calendar (e.g., pre-strategy masterclasses, deep-dives before major investments).
  3. Hard-wire digital/AI into the agenda. Move from ad-hoc updates to a cadence: strategy and scenario sessions, risk and resilience reviews, and portfolio health checks. Make room for bad news early so issues surface before they become expensive.
  4. Adopt a board-level Digital & IT Cockpit. Track six things concisely: run-the-business efficiency, risk posture, innovation enablement, strategy alignment, value creation, and future-proofing (change control, talent, and architecture). Keep trends visible across quarters.
  5. Establish a Digital | AI Committee (where applicable). This complements—not replaces—the Audit Committee. Mandate: opportunities and threats, ethics and risk, investment discipline, and capability building. The committee prepares the ground; the full board takes the decisions.
  6. Use independent expertise by default on critical choices. Commission targeted reviews (architecture, vendor due diligence, cyber resilience) to challenge internal narratives. Independence is not a luxury; it’s how you avoid groupthink and discover blind spots in time.
  7. Onboard and upskill continuously. Provide a digital/AI onboarding for new members; schedule briefings with external experts; and use site visits to see real adoption. Treat learning like risk management: systematic, scheduled, and recorded.

Do you need a separate “Digital Board”?

My reflection: competence helps, but time and attention are the true scarcities. In digitally intensive businesses—where data platforms, AI-enabled operations, and cyber exposure shape enterprise value and are moving fast—a separate advisory or oversight body can deepen challenge and accelerate learning. It creates space for structured debate on architecture, ecosystems, and regulation without crowding out other board duties.

This isn’t a universal prescription. In companies where digital is material but not defining, strengthening the main board with a committee and better rhythms is usually sufficient. But when the operating model’s future rests on technology bets, a dedicated Digital Board (or equivalent advisory council) can bring the needed altitude, continuity, and specialized challenge to help the supervisory board make better, faster calls.


What this means for your next board cycle

The practical message from the thesis is straightforward: digital oversight is a core board responsibility that can be institutionalised. Start by clarifying the capability you need (the competency matrix), then hard-wire the conversation into the board’s rhythms (the agenda and cockpit), and raise the quality of decisions (staged investments, independent challenge, real adoption metrics). Expect a culture shift: from project status to value realization, from tool choice to architecture, from compliance as paperwork to resilience as practice.

Most importantly, treat this as a journey. Boards that improve a little each quarter—on fluency, on the sharpness of their questions, on the discipline of their investment decisions—create compounding advantages. The gap closes not with a single appointment or workshop, but with deliberate governance that learns, adapts, and holds itself to the same standard it asks of management.

When Good Intentions Fail – Why Effective Governance Is the Fix

While many organizations focus on technology, data, and capabilities, it’s the governance structures that align strategy with execution, enable informed decision-making, and ensure accountability. Without effective governance, even the most promising digital or AI initiatives risk becoming fragmented, misaligned, or unsustainable.

This article explores how governance typically evolves during transformation, drawing on a framework presented in GAIN by Michael Wade and Amit Joshi (2025). It then outlines best practices and tools for establishing effective governance at every level of transformation—portfolio, program, and project.

The Governance Journey: From Silo to Anchored Agility
Wade and Joshi identify four phases in the evolution of transformation governance:

  • Silo: In this early phase, digital and AI initiatives are isolated within departments. There is little coordination across the organization, leading to duplicated efforts and fragmented progress.
  • Chaos: In reaction to the problems of the siloed approach, companies start putting governance in place, but often not very effectively, which leads to a proliferation of processes, tools, and platforms.
  • Bureaucracy: In response to chaos, organizations implement formal governance structures. While this reduces risk and increases control, it can also stifle innovation through over-regulation and sluggish decision-making.
  • Anchored Agility: The desired end-state. Governance becomes a strategic enabler—embedded yet flexible. It ensures alignment and control without constraining innovation. Decision-making is delegated appropriately, while strategic oversight is maintained.

Most organizations go through this journey. Understanding where your organization is helps determine what kind of actions are needed and what to improve.

Effective Governance: Moving from Bureaucracy to Anchored Agility
Most successful digital and AI transformations mature into the Bureaucracy and Anchored Agility phases. These are the phases where effective governance must strike a balance between structure and adaptability.

Two proven approaches—PMI and Agile—offer best practices to draw from:

PMI Governance Best Practices

  • Well-defined roles and responsibilities across governance layers
  • Program and project charters to formalize scope, authority, and accountability
  • Clear stage gates, with decision points tied to strategic goals
  • Risk, issue, and change control mechanisms
  • Standard reporting templates to ensure transparency and comparability

PMI’s approach works best in large, complex transformations that require strong coordination, predictable delivery, and control of interdependencies.

Agile Governance Principles

  • Empowered teams with clear decision rights
  • Frequent review cadences (e.g., sprint reviews, retrospectives, and PI planning)
  • Lightweight governance bodies focused on alignment, not control
  • Transparent backlogs and prioritization frameworks
  • Adaptability built into the governance process itself

Agile governance is ideal for fast-evolving digital or AI initiatives where experimentation, speed, and responsiveness are critical.

Moving from Bureaucracy to Anchored Agility does not mean moving away from PMI to only Agile governance principles. Your portfolio will probably have a mix of initiatives that leverage one or both of the approaches.

Governance Across Levels: Portfolio, Program, Project
A layered governance model helps ensure alignment from strategy to execution:

Portfolio Level

  • Purpose: Strategic alignment, investment decisions, and value realization
  • Key Bodies: Executive Steering Committees, Digital/AI Portfolio Boards
  • Focus Areas: Prioritization, funding, overall risk and performance tracking

Program Level

  • Purpose: Coordinating multiple related projects and initiatives
  • Key Bodies: Program Boards or Program Management Offices
  • Focus Areas: Interdependencies, resource allocation, milestone tracking, issue resolution

Project Level

  • Purpose: Delivering tangible outcomes on time and on budget
  • Key Bodies: Project SteerCos, Agile team ceremonies
  • Focus Areas: Daily execution, scope management, risk and issue tracking, delivery cadence

Connecting the Layers: How Governance Interacts and Cascades
Effective governance requires more than clearly defined levels—it demands a dynamic flow of information and accountability across these layers. Strategic priorities must be translated into executable actions, while insights from execution must feed back into strategic oversight.

  • Top-down alignment: Portfolio governance sets strategic objectives, funding allocations, and key performance indicators. These are cascaded to programs and projects through charters, planning sessions, and KPIs.
  • Bottom-up reporting: Project teams surface risks, status updates, and learnings which are aggregated at the program level and escalated to the portfolio when needed.
  • Horizontal coordination: Programs often interact and depend on each other. Governance forums at program level and joint planning sessions across programs help manage these interdependencies.
  • Decision and escalation pathways: Clear routes for issue resolution and decision-making prevent bottlenecks and ensure agility across layers.

Organizations that master this governance flow operate with greater transparency, speed, and alignment.

Tools and Enablers for Good Governance
Governance is not just about structure—it’s also about enabling practices and tools that make oversight effective and efficient:

  • Terms of Reference (ToR): Define the mandate, decision rights, and meeting cadence for each governance body.
  • Collaboration & Transparency Tools: Use platforms like Asana, Confluence, Jira, and MS Teams for sharing updates, tracking decisions, and managing workflows.
  • Standardized Reporting: Leverage consistent templates for status, risks, and KPIs to create transparency and drive focus.
  • RACI Matrices: Clarify roles and decision-making authority across stakeholders, especially in cross-functional setups.
  • Governance Calendars: Synchronize key reviews, steerco meetings, and strategic checkpoints across layers.

Lessons from the Field
From my experience, common governance pitfalls include over-engineering (which stifles agility), under-resourcing (especially at the program level), and slow/unclear decision making. Successful governance relies on:

  • Aligned executive sponsorship
  • Clear ownership at all levels
  • Integration of risk, value, and resource management
  • Enabling people to act

Conclusion
In digital and AI transformation, effective governance is not about control—it’s about enablement. It provides the structure and transparency needed to drive transformation, align stakeholders, and scale success. As your organization moves toward Anchored Agility, governance becomes less of a bottleneck and more of a backbone.

Where is your organization on the governance journey—and what would it take to reach the next phase?

Effective Risk Management in Digital Transformation

1. Introduction

Organizational transformations represent some of the most complex undertakings in business. According to research by McKinsey & Company (2019), nearly 70% of transformations fail to achieve their stated objectives, with inadequate risk management frequently cited as a contributing factor.

Effective risk management requires a structured approach where risks are identified, assessed, and mitigated at the appropriate levels:

  • Portfolio Risks – Strategic risks impacting the entire transformation, requiring executive oversight. Examples include: resource allocation, organizational capacity for change, external (market/regulatory) and financial sustainability risks.
  • Program Risks – Cross-project risks affecting multiple initiatives, managed at the program level. Examples include: interdependencies/resource conflicts between projects, timeline/milestone risks, development, technical integration, adoption, and benefit realization risks.
  • Project Risks – Operational and execution risks handled by project teams. Examples include: scope/requirements, schedule, budget, resource, quality, performance, team capability/capacity, and stakeholder acceptance risks.

A clear governance structure ensures that risks are escalated to the right level—whether the Executive Steering Committee, Program Leadership, or Project Management—for timely decision-making and intervention.

2. Risk Management in Transformation Governance

To embed risk management into transformation governance effectively, organizations must:

  • Define risk ownership at different levels (executive, program, project).
  • Establish governance bodies with clear escalation mechanisms.
  • Integrate risk reviews into decision-making forums.
  • Ensure risk reporting is transparent, structured, and aligned with transformation objectives.

3. Risk Assessment & Mapping Tools

Several proven tools can help organizations systematically assess and map risks:

  1. Risk Matrix (Probability vs. Impact): Prioritizes risks based on likelihood and severity.
  2. Risk Breakdown Structure (RBS): Categorizes risks by type (strategic, organizational, operational, financial, technical, change management, etc.).
  3. Bow-Tie Analysis: For high-priority risks, visualizes potential causes, consequences, and controls for a given risk.
  4. Monte Carlo Simulations: Provide probabilistic forecasting of risk impact on budgets and timelines.
  5. SWIFT (Structured What-If Technique): Facilitates structured brainstorming on potential risks.

Each of these tools helps organizations gain visibility into risks and prepare for effective mitigation.

4. Mitigation Planning & Execution

Risk mitigation involves defining structured responses based on the nature and severity of risks:

  • Avoid: Eliminating the risk by altering the transformation approach.
  • Mitigate: Reducing the impact or probability through proactive measures.
  • Transfer: Shifting the risk to a third party (e.g., insurance, outsourcing).
  • Accept: Acknowledging the risk with contingency plans in place.

A Risk Register should be maintained to track risks, owners, mitigation actions, timelines, resources, and follow-ups. Additionally, mitigation progress should be reviewed in governance forums to ensure accountability and timely interventions.

5. A Step-by-Step Guide to Implementing Risk Management

  1. Risk Management Framework: Agree on the objectives, structure, policies, and procedures.
  2. Risk Identification: Engage stakeholders and put mechanisms in place across all levels to surface risks early.
  3. Risk Assessment: Use structured tools to break risks down, categorize them, and evaluate the likelihood and impact.
  4. Risk Prioritization: Align risk priorities with transformation goals and organizational risk appetite.
  5. Mitigation Strategy Development: Define risk responses (avoid, transfer, mitigate, accept) and allocate necessary resources.
  6. Governance & Oversight: Integrate risk reviews into transformation governance structures, with dedicated risk review sessions.
  7. Ongoing Monitoring & Communication: Establish reporting mechanisms, including risk trend reporting, and continuous improvement processes.

6. Example – Global Financial Services Transformation

A major financial institution undertaking a digital transformation employed a three-tiered risk management approach:

Portfolio Level (Executive Steering Committee)
The ESC focused on strategic risks including regulatory compliance, competitive disruption, and organizational capacity for change. They established quarterly “risk deep dives” where each transformation workstream presented their top risks and mitigation strategies. The ESC maintained a portfolio-level risk contingency reserve, allocating funds to address emerging risks based on severity and alignment with strategic priorities.

Program Level (Transformation Office)
The Transformation Office implemented a “Risk Guild” comprising risk owners from each workstream who met bi-weekly to identify cross-program dependencies and risks. They employed a sophisticated risk visualization dashboard that highlighted interdependencies between workstreams and potential cascading impacts. The office also maintained a centralized risk register with automated escalation of risks that exceeded defined thresholds.

Project Level (Agile Teams)
Individual teams incorporated risk identification into their sprint planning and retrospectives, with “risk spikes” allocated to investigate high-priority uncertainties. Teams used “risk-adjusted story points” to account for implementation uncertainties in their capacity planning. A “see something, say something” culture encouraged anyone to raise potential risks through a simple digital form.

The results were impressive: while industry benchmarks suggested that 70% of financial services transformations fail to meet objectives, this institution achieved 85% of its targeted benefits within the planned timeframe.

7. Common Pitfalls and How to Avoid Them

Risk Management as Compliance Exercise

  • Problem: Risk management becomes a bureaucratic checkbox exercise rather than a decision-making tool.
  • Solution: Focus on decision-relevance by integrating risk discussions directly into key decision points. Emphasize how risk information has influenced specific decisions. Use concrete, specific risk descriptions rather than generic categories.

Overemphasis on Documentation

  • Problem: Teams spend more time documenting risks than managing them.
  • Solution: Simplify documentation requirements, focusing on action-oriented information. Implement user-friendly tools that minimize administrative burden. Establish “one source of truth” rather than duplicative risk registers.

Failure to Close the Loop

  • Problem: Identified risks have mitigation plans, but no one follows up on implementation.
  • Solution: Implement clear accountability for mitigation actions with regular status reviews. Treat high-priority risk mitigations as projects with defined deliverables, timelines, and resources. Celebrate successful risk mitigation.

Risk Isolation

  • Problem: Risk management operates in isolation from other management processes.
  • Solution: Integrate risk considerations into strategic planning, resource allocation, and performance management. Use consistent language and frameworks across processes. Ensure risk owners participate in relevant decision forums.

Static Approach

  • Problem: Risk register becomes a static document that doesn’t evolve with changing circumstances.
  • Solution: Implement regular risk refresh cycles. Establish triggers for out-of-cycle risk reviews based on internal or external events. Create mechanisms to identify and assess emerging risks.

8. Conclusion

Risk management in organizational transformation is not a peripheral activity but a central governance function that enables informed decision-making and increases the likelihood of success. By implementing a multi-layered approach that addresses portfolio, program, and project risks, organizations can navigate the inherent uncertainties of transformation with greater confidence.

The tools, frameworks, and step-by-step guide outlined in this article provide a roadmap for implementing robust risk management practices. However, the most important factor is creating a risk-aware culture where identifying and managing risks becomes part of everyone’s responsibility.